Multi-factor Authentication: Resistance is futile

One of the most reliable ways to achieve secure logins is multi-factor authentication, but too many people are still avoiding it. And for no clear reason, since the new solutions on the market are making it simpler and easier to use.

In a rare case of unity across the admin vs. user universe, almost everyone agrees that passwords are a problem. PINs (Personal Identification Numbers) seem like a valid alternative, but they are just a numerical form of password, although with some solutions the PIN provides extra security because it’s tied to a specific device. Multi-factor authentication, or MFA as it’s known in IT security circles, presents a valid solution to the password problem.

From the user’s perspective, keeping up with a multiplicity of passwords is one of the never-ending aggravations of modern life. They tell you that you must make your passwords long and complex, and devoid of words or numbers that are associated with you (such as kids’ or pets’ names, birth dates, social security numbers, addresses, etc.) so they can’t be guessed. They tell you that you must not reuse the same password for more than one account. They make you change your password every X number of days. And then to add insult to injury, they tell you that you mustn’t write your passwords down. All in all, maintaining your passwords is an exercise in frustration.

Passwords – more of a problem than a solution

From the IT professional’s perspective, passwords are notoriously insecure. No matter how you try to enforce password policies, many users will try almost everything to make it easier for them to access the resources they need. They’ll leave their passwords on sticky notes, tell them to friends, make them as simple as possible, or they’ll just forget them and be coming constantly to you to reset them. Most “strong” passwords, such as those using clever tricks (substituting 3 for E or adding an exclamation point at the end to satisfy complexity requirements) aren’t; hackers and crackers are onto those games.

A password, in order to be effective, must be kept secret – but most people aren’t so good at keeping secrets. From a more technical point of view, passwords are “shared secrets,” also known as a symmetric authentication system, because in order to use it not only does the user have to know it but the server to which the user authenticates has to know it as well. If the server is breached – as we’ve seen this happen in so many headline news stories – the secret is out and the passwords it stored can be used by unauthorized persons to access the users’ accounts.

The biggest problem with passwords is that they aren’t tangible, and that makes them hard to protect. So what’s the solution? Instead of (or better, in addition to) requiring “something you know” (a password), we can authenticate users’ identities by requiring “something you have” or “something you are.” The former can be a smart card, token, or – as is increasingly popular – your cell phone or wearable device. The latter refers to a unique biometric identifier such as your fingerprint, facial structure, iris pattern, or even perhaps in the future, your DNA. Unlike with passwords, both of these have a physical element that must be present.

Combining two or more different authentication methods, such as a password or PIN plus a physical factor, is orders of magnitude more secure because of the unlikelihood of an attacker being able to obtain or emulate both.

Outdated and complex solutions don’t solve the issue either

Smart cards and biometrics have been around for a long time, but many businesses didn’t implement them because of cost and learning curve. Human nature dictates that most people prefer to keep doing things the way they always have, even when there’s a better way. And there are always objections raised when a new way is proposed: cards will get lost or left at home, people don’t want to install authentication software on their phones… Individual users didn’t even consider MFA, as it often wasn’t supported by their hardware and software. Those who did often found it to be imperfect and unreliable, and gave up after failed attempts to use it to unlock their devices or files.

Smart cards have been S.O.P. in many security-conscious companies for a while, but they involve carrying around another piece of plastic in an already-overloaded wallet. Why not make the second factor connect with something that everyone always carries anyway? Some organizations incorporate the smart card into the ID badge, but others are turning to the device that can’t live without: our smart phones. Multi-factor authentication via phone is now gaining ground in the consumer space, too.

Many MFA systems, such as Microsoft’s, Amazon’s and Google’s, allow you to set up multi-factor authentication for your online accounts. The first factor is the traditional user name and password (or PIN), while the second is either a phone call that you answer to obtain a verification code, or a phone app notification in which you enter your pre-set PIN. Microsoft just recently released a new version of their Microsoft Authenticator app for Android and iOS that lets you perform MFA for both your Azure business account and your personal and/or business Microsoft account.

What about biometrics? It was once expensive and didn’t always work very well. As with all technology, though, it’s been getting better and at the same time, it’s been getting cheaper. Recent iterations of smart phones have incorporated fingerprint scanners and unlike with their first attempts, they actually work most of the time. I use fingerprint recognition with my Galaxy Note and it’s quick and convenient. Since I use the fingerprint instead of a PIN, that’s only one factor – albeit a more secure one.

New players are making it even easier for users

The real shining star of biometric authentication today, and the one that may bridge the gap between business and home and bring biometrics to the consumer masses, is Windows Hello in Windows 10. The popularity of the Surface devices is making this option available to more computer users, and it’s also supported by some third party laptops from HP and Lenovo.

I’ve been using Windows Hello since I got my Surface Pro 4, and I’ll admit that I love it. I sit down at my Surface, connected to a docking station with all necessary peripherals connected, look at the screen, and I’m in. No laborious typing in credentials every time I leave for ten minutes and come back to a locked screen.

It recognizes me with or without my glasses, with my hair up or down, and with or without makeup (scary as the latter might be) – because I “trained” it when I set it up to recognize all those modes. But lest you think it’s not vigilant enough, many other people have tried to unlock it with their faces, including a couple of friends who look vaguely like me (similar face size and shape, hair styles, etc.) and it was a “no go.” Oh, and if it does fail to recognize you – which might happen if you change your look drastically – you can still log on with password or PIN.

You might be thinking at this point: Wait a minute. That’s cool, but that’s not MFA if you’re using your face or a password to authenticate, instead of both. Windows Hello can be used in conjunction with Microsoft Passport, or Passport for Work with Azure Active Directory, or a Microsoft account to achieve two-factor authentication with apps and services.

MFA is still optional for most consumer-targeted services, and not available at all on some. However, as password compromise and breaches become more and more of a problem – with consequences such as identity theft and loss or exposure of sensitive personal or business information – it seems likely that both business and home users will gravitate toward more secure authentication options in the future.

About the Author: Debra Littlejohn Shinder

Debra Littlejohn Shinder has been working and writing in the field of IT security since 1998. She’s an author of and contributor to over 25 books on computer technology, including “Scene of the Cybercrime,” based on her previous experience as a police officer and police academy instructor. Deb is owner and CEO of TACteam (Training, Authoring and Consulting) and has contracted with Microsoft, Intel, HP, Prowess Consulting, Sunbelt Software, GFI Software, ConfigureSoft, 2X Software and other software and hardware companies. She currently writes articles and blogs for Windowsecurity.com, WindowsNetworking.com and CloudComputingAdmin.com as well as GFI’s Talk Tech to Me and Patch Central, and has published more than 1800 articles for web sites and print magazines. Deb has been a Microsoft MVP in the area of enterprise security for the past eleven years.

1 Comment

Mirian Shade January 17, 2017 at 2:44 pm

Hey Debra,

Great Post indeed! Passwords are today totally old school and are vulnerable to hacks so need of additional security layer is essential. BioMetrix, Digital Certificates, OTPs or even a challenge question may serve the purpose of protecting your online information. So bid a bye to passwords and embrace new trends. Keep sharing such useful tips!